Title: Execution of Untrusted Macros Due to Improper Certificate Validation
Announced: July 25, 2022
Fixed in: LibreOffice 7.2.7/7.3.2
LibreOffice supports the execution of macros. By default LibreOffice executes macros only if they are stored in a trusted file location or if they are signed by a trusted certificate.
To determine whether a macro is signed by a trusted author, LibreOffice matches the used certificate with the list of trusted certificates stored in the user's configuration database.
An Improper Certificate Validation vulnerability in LibreOffice existed where determining if a macro was signed by a trusted author was done by only matching the serial number and issuer string of the used certificate with that of a trusted certificate. This is not sufficient to verify that the macro was actually signed with the certificate. An adversary could therefore create an arbitrary certificate with a serial number and an issuer string identical to a trusted certificate which LibreOffice would present as belonging to the trusted author, potentially leading to the user to execute arbitrary code contained in macros improperly trusted.
In versions >= 7.2.7 (and >= 7.3.2) certificate matching is amended to ensure the certificates match correctly.
This vulnerability is not exploitable if macro security level is set to very high or if the user has no trusted certificates.
- OpenSource Security GmbH on behalf of the German Federal Office for Information Security